ccTLD Security: Understanding the Anxiety and Consequences (PowerPoint PPT Presentation)



SLIDE 1

ccTLD Security: Understanding the Anxiety and Consequences

Barry Raveendran Greene, bgreene@isc.org

SLIDE 2

Agenda

  • ccTLD Security is not “new”
  • Cybercriminal Toolkit
  • Understanding why security people are irritated might help to provide context.
  • Criminal Complicity, Internet Embargo, Chain of Consequence
  • What can a ccTLD do now?
SLIDE 3

ccTLD Security is not “New”

  • ICANN - Attack and Contingency Response Planning (ACRP)
  • Country-Code Top-Level Domain Best Current Practices (draft-wenzel-cctld-bcp-02.txt – expired)
  • APTLD Guidelines for Operation of DNS Infrastructure by ccTLDs
  • Lots of presentations:

– ICANN and DNS Security, Stability and Resiliency Activities by Greg Rattray
– Best Practices of a ccTLD Registry by Adrian Kinderis
– Introducing ICANN Security, Stability and Resiliency Activities - DNS Security Training by Yurie Ito
– ccTLD Best Practices by Michuki Mwangi
– ccTLD Best Practices & Considerations by John Crain
– ccTLD Best Practices & Considerations by Kim Davies

SLIDE 4

Cyber Criminal Toolkit

SLIDE 5

Stage Domain Name

[Diagram of the cybercriminal toolkit: Drive-By, Secondary Malware, SPAM, BOTNET, Controller, Proxy, BOT Herder, Packer, Malware, Victim of Crime, TLD Domain Name Servers. This step: Get Domain; Stage on NS (or FF NS).]

SLIDE 6

Prepare Drive-by

[Same toolkit diagram: Drive-By, Secondary Malware, SPAM, BOTNET, Controller, Proxy, BOT Herder, Packer, Malware, Victim of Crime, TLD Domain Name Servers. This step: Send Malware; Load Malware onto the drive-by site.]

SLIDE 7

Send SPAM to get People To Click

[Same toolkit diagram: Drive-By, Secondary Malware, SPAM, BOTNET, Controller, Proxy, Packer, Malware, BOT Herder, Victim of Crime, TLD Domain Name Servers. This step: Send SPAM (“Click on me now”) to the Victim of Crime.]

SLIDE 8

Drive By Violation

[Same toolkit diagram: Drive-By, Secondary Malware, SPAM, BOTNET, Controller, Proxy, Packer, Malware, BOT Herder, Victim of Crime, TLD Domain Name Servers. This step: the Victim of Crime clicks (“Click on me now”) and is violated by the drive-by site.]

SLIDE 9

Poison Anti-Virus Updates

[Same toolkit diagram: Drive-By, Secondary Malware, SPAM, BOTNET, Controller, Proxy, Packer, Malware, BOT Herder, Victim of Crime, Anti-Virus Vendor, TLD Domain Name Servers. This step: Poison the anti-virus updates – All updates to 127.0.0.1.]
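The poisoning step on this slide, seen from the defender's side as an added example (not part of the original deck): the bot redirects the victim's anti-virus update hostnames to 127.0.0.1, and one common way to do that is a hosts-file entry, so the check below parses hosts-file text and flags watched update names that map to loopback, unspecified or link-local addresses. The vendor hostnames and the sample hosts file are constructed placeholders, not any real vendor's update hosts.

```python
# Added example: flag anti-virus update hostnames that a bot has redirected to
# loopback via the hosts file (the "all updates to 127.0.0.1" trick on the slide).
import ipaddress

# Constructed placeholder names, not any vendor's real update hosts.
WATCHED_UPDATE_HOSTS = {
    "update.av-vendor.example",
    "liveupdate.av-vendor.example",
    "definitions.av-vendor.example",
}

def is_sinkhole_address(addr: str) -> bool:
    """True for addresses that can never reach a real update server."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False          # not an IP literal at all; leave it to other checks
    return ip.is_loopback or ip.is_unspecified or ip.is_link_local

def parse_hosts_file(text: str) -> dict:
    """Map lowercase hostname -> address; handles comments, tabs, several names per line."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing and full-line comments
        fields = line.split()
        if len(fields) < 2:
            continue                          # blank line or malformed entry
        for name in fields[1:]:
            mapping[name.lower()] = fields[0]  # later entries override earlier ones
    return mapping

def find_poisoned_update_hosts(mapping: dict, watched=WATCHED_UPDATE_HOSTS) -> list:
    """Return sorted (hostname, address) pairs where a watched host is sinkholed."""
    return [(n, mapping[n]) for n in sorted(watched)
            if n in mapping and is_sinkhole_address(mapping[n])]

# Constructed sample hosts file: two poisoned entries plus a legitimate one.
SAMPLE_HOSTS = """\
127.0.0.1\tlocalhost
::1         localhost ip6-localhost
# the next two lines are what the slide's bot would add
127.0.0.1   update.av-vendor.example liveupdate.av-vendor.example
0.0.0.0     definitions.av-vendor.example   # sinkholed to the unspecified address
203.0.113.7 intranet.corp.example
"""

if __name__ == "__main__":
    for host, addr in find_poisoned_update_hosts(parse_hosts_file(SAMPLE_HOSTS)):
        print(f"POISONED: {host} -> {addr}")
```

The same check applies to resolver answers: feed `find_poisoned_update_hosts` a hostname-to-address map built from DNS lookups instead of from the hosts file.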

SLIDE 10

Prepare Violated Computer

[Same toolkit diagram: Drive-By, Secondary Malware, SPAM, BOTNET, Controller, Proxy, Packer, Malware, BOT Herder, Victim of Crime, Anti-Virus Vendor, TLD Domain Name Servers. This step: Call to Secondary Malware Site; Load Secondary Package.]

SLIDE 11

Call Home

[Same toolkit diagram: Drive-By, Secondary Malware, SPAM, BOTNET, Controller, Proxy, Packer, Malware, BOT Herder, Victim of Crime, TLD Domain Name Servers. This step: Call to Controller.]

Call to Controller – Report:

  • Operating System
  • Anti-virus
  • Location on the Net
  • Software
  • Patch Level
  • Bandwidth
  • Capacity of the computer

SLIDE 12

We do not know how to lock this guy in jail!

What can an ASN do?

[Same toolkit diagram: Drive-By, Secondary Malware, SPAM, BOTNET, Controller, Proxy, Packer, Malware, BOT Herder, Victim of Crime, TLD Domain Name Servers, annotated with the points where an ASN can act.]

  • Make SPAM Harder
  • Disrupt Drive-By Phishing
  • Disrupt Controllers
  • Clean Violated Data Centers
  • Help your victimized customers
  • Disrupt the NS Infrastructure
  • Filter Based on TLD
SLIDE 13

Why Is Cyber-Crime Institutionalized?

SLIDE 14

Our Traditional View of the World

SLIDE 15

The Reality of the Internet: No Borders

How to project civic society and the rule of law where there is no way to enforce the law?

SLIDE 16

Three Major Threat Vectors

  • Critical Infrastructure has three major threat drivers:

– Community #1 Criminal Threat

  • Criminals who use critical infrastructure as a tool to commit crime. Their motivation is money.

– Community #2 War Fighting, Espionage and Terrorist Threat

  • What most people think of when talking about threats to critical infrastructure.

– Community #3 P3 (Patriotic, Passion, & Principle) Threat

  • The largest group of people, motivated by a cause – be it national pride (e.g. Estonia & China) or a passion (e.g. “Globalization is Wrong”)

SLIDE 17

Essential Criminal Principles

  • There are key essential principles to a successful miscreant (i.e. cyber criminal)
  • These principles need to be understood by all Security Professionals
  • Understanding them allows one to cut to the core concerns during security incidents
  • Attacking the dynamics behind these principles is the core way we have to attempt a disruption of the Miscreant Economy

SLIDE 18

Principles of Successful Cybercriminals

  • 1. Don’t Get Caught
  • 2. Don’t work too hard
  • 3. Follow the money
  • 4. If you cannot take out the target, move the attack to a coupled dependency of the target
  • 5. Always build cross jurisdictional attack vectors
  • 6. Attack people who will not prosecute
  • 7. Stay below the pain threshold
SLIDE 19

Principle 1: Do Not Get Caught!

  • The first principle is the most important – it is no fun getting caught, prosecuted, and thrown in jail

– (or in organized crime – getting killed)

  • All threat vectors used by a miscreant will have an element of untraceability to the source
  • If a criminal activity can be traced, it is one of three things:

  • 1. A violated computer/network resource used by the miscreant
  • 2. A distraction from the real action
  • 3. A really dumb newbie
SLIDE 20

Principle 2: Do Not Work Too Hard!

  • Use the easiest attack/penetration vector available in the toolkit to achieve the job’s objective
  • Example: If your job is to take out a company’s Internet access the day of the quarterly numbers announcement, would you:

  • 1. Penetrate the site and delete files?
  • 2. Build a custom worm to create havoc in the company?
  • 3. DOS the Internet connection?
  • 4. DOS the SP supporting the connection?

Why use “noisy” DNS poisoning when it is easier to violate a ccTLD?

SLIDE 21

Principle 3: Follow the Money

  • If there is no money in the crime then it is not worth the effort.
  • “Follow the money” is the flow of money or exchanged value as one miscreant transfers value to another miscreant (or the victim transfers value to the criminal)
  • A Cyber-Criminal Threat Vector opens when the miscreant finds a way to move ‘stored value’ from the victim through the economy
  • It is worse if the cyber ‘stored value’ can cross over to normal economic exchange
SLIDE 22

Principle 4: If You Cannot Take Out The Target…

  • If you cannot take out the target, move the attack to a coupled dependency of the target
  • There are lots of coupled dependencies in a system:

– The target’s supporting PE router
– Control Plane
– DNS Servers
– State Devices (Firewalls, IPS, Load Balancers)

  • Collateral Damage!
SLIDE 23

Principle 5: Always Build Cross Jurisdictional Attack Vectors

  • Remember – Don’t get caught! Do make sure everything you do is cross jurisdictional.
  • Even better – cross the law systems (Constitutional, Tort, Statutory, Islamic, etc.)
  • Even better – make sure your “gang” is multi-national, making it harder for Law Enforcement

[Diagram: a BOTNET HUB connected to BOTNET LEAF nodes in Kuwait, China, Norway, Australia, Japan and the US.]

SLIDE 24

Principle 6: Attack People Who Will NOT Prosecute

  • If your activity is something that you would not want everyone around you to know about, then you are a miscreant target
  • Why? Because when you become a victim, you are not motivated to call the authorities
  • Examples:

– Someone addicted to gambling is targeted via a Phishing site
– Someone addicted to porn is targeted to get botted
– Someone addicted to chat is targeted to get botted
– Someone new to the Net is targeted and abused in the physical world
– Government, Finance, and Defense employees – who lose face when they have to call INFOSEC

SLIDE 25

Principle 7: Stay below the Pain Threshold

  • The Pain Threshold is the point where an SP or Law Enforcement would pay attention
  • If you are below the pain threshold – where you do not impact an SP’s business – then the SP’s Executive Management does not care to act
  • If you are below the pain threshold – where you do not have a lot of people calling the police – then Law Enforcement and Elected Officials do not care to act
  • The Pain Threshold is a matter of QOS, Resource Management, and picking targets which will not trigger action

SLIDE 26

Criminal Trust

  • Miscreants will guardedly trust each other
  • They can be competitors
  • They can be collaborators
  • But when there is money on the table, criminal human behavior and greed take over.
  • Cybercriminals cannibalize each other’s infrastructure.
  • Cybercriminals attack each other’s infrastructure.

[Diagram: two criminal infrastructures across the Internet launching DDOS attacks at each other.]

SLIDE 27

Dire Consequences

  • The Miscreant Economy is not a joke. It is not a game. It is not something to play with.

– PEOPLE DIE

  • Once organized crime entered the world of the Miscreant Economy, the days of fun were over.
  • Now that Cyber-Criminals will use any resource on the net to commit their crime, they don’t worry about the collateral damage done.

– Think of computer resources at a hospital, power plant, or oil refinery – infected and used to commit phishing and card jacking.
– What happens if someone gets mad at the phishing site, attacks it in retaliation, and unintentionally knocks out a key system?

SLIDE 28

Enduring Financial Opportunities

Enduring criminal financial opportunities:

  • Extortion
  • Advertising
  • Fraudulent sales
  • Identity theft and financial fraud
  • Theft of goods/services
  • Espionage/theft of information

Postulate: Strong, Enduring Criminal Financial Opportunities Will Motivate Participants in the Threat Economy to Innovate to Overcome New Technology Barriers Placed in Their Way

SLIDE 29

Threat Economy: In the Past

[Diagram with three columns:
Writers – Worms, Viruses, Trojans, Malware; Tool and Toolkit Writers; Malware Writers.
Asset – Compromise Individual Host or Application; Compromise Environment.
End Value – Espionage (Corporate/Government); Fame; Theft.]

SLIDE 30

Threat Economy: Today

[Diagram of the chain Writers → First Stage Abusers → Middle Men → Second Stage Abusers → End Value, with “$$$ Flow of Money $$$” running along it.
Writers – Worms, Viruses, Trojans, Malware; Tool and Toolkit Writers; Malware Writers.
First Stage Abusers – Machine Harvesting; Information Harvesting; Hacker/Direct Attack; Internal Theft: Abuse of Privilege; Compromised Host and Application.
Middle Men – Bot-Net Creation; Bot-Net Management: For Rent, for Lease, for Sale; Personal Information; Electronic IP Leakage; Information Brokerage.
Second Stage Abusers – Spammer; Phisher; Extortionist/DDoS-for-Hire; Pharmer/DNS Poisoning; Identity Theft.
End Value – Financial Fraud; Commercial Sales; Fraudulent Sales; Click-Through Revenue; Espionage (Corporate/Government); Criminal Competition; Extorted Pay-Offs; Theft; Spyware.]

SLIDE 31

Miscreant - Incident Economic Cycles

[Chart of Incidents over time with the phases Peak, Trough, Recession and Expansion; these cycles repeat. Annotations: Lots of Problems & Attacks; Community Mitigation; Miscreant & Criminal R&D; New Criminal Revenue Opportunities; Resolve the Problem; Drive the Post Mortem; Drive the Preparation; Survive the Next Attack.]

SLIDE 32

Miscreant Economic Cycles

[Chart of Total Incidents per quarter (Jan.-Mar, Apr.-June, July-Sept., Oct.-Dec., repeated over several years) showing the Incident Growth Trend with Expansion, Recession, Trough and Peak phases marked.]

SLIDE 33

What will we do when the Cyber-Criminals …

  • Retaliate! Historically, Organized Crime will retaliate against civic society to impose their will and influence on civic society.

– What will today’s organized crime do in a cyber-equivalent world?

  • How will the world respond when:

– We cannot as a global society investigate and prosecute international crime?
– There is too much dependence on “security vendors” for protection.

  • Global Telecom’s Civic Society has to step forward – work with each other collectively to protect their interests.

SLIDE 34

Criminal Complicity, Internet Embargo, Chain of Consequence

SLIDE 35

“Brand” Jeopardy

  • What happens when the “TLD” Brand projects the perception of “tainted?”

“Once a ccTLD, ASN, IP, Hosting company is assumed to be bad it has a detrimental effect on both its industry standing as well as its brand (and ultimately bottom line). So if a ccTLD or hosting provider becomes known as "the bad guy(s)" and it becomes acceptable from an end user organization's perspective to filter/block that portion of infrastructure it will have very real effects on any legitimate commerce that crosses into/over that infrastructure. Real examples of this can be found in various IDS, IP Block lists, reputation engines, and spam scoring engines (spam assassin comes to mind) and the responses of the organizations who were affected by them.” - Andre Ludwig, aludwig@packetspy.com

  • In other words, perception is reality. The ccTLD’s problem is that the Paul Baran – End-to-End model puts the power of action in the hands of the many.

SLIDE 36

Autonomous Systems

  • Within the Internet, an Autonomous System (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators that presents a common, clearly defined routing policy to the Internet.
  • In this system, “control” is defined by the “operator” based on the contractual needs of their “constituents.”
  • “Clearly Defined Routing Policy” can be BGP, Packet Filtering, Services, and DNS
  • In other words, the power of who connects to whom is in the hands of the ASN.

SLIDE 37

Community Action Can Have an Impact

Source: http://voices.washingtonpost.com/securityfix/2008/11/64_69_65_73_70_61_6d_64_69_65.html

SLIDE 38

ASN and TLD Filtering

  • Any organization – be it an ASN or an end point – has control over whom it communicates with.
  • It is not a technology limitation anymore. The tools are available via vendors and open source to block access to locations on the Net which are the empirical source of risk.

[Diagram: an ASN applies its Policy to filter a TLD and an ASN with which Trust is Broken.]

SLIDE 39

Internet Embargo

  • When a group of organizations all collectively band together to protect themselves from imposed business risk, you move from simple filtering to an “Internet Embargo.”
  • An Internet Embargo has collateral impact. Think Hospitals, Business, E-Gov, & other critical institutional organizations who depend on the TLD.

[Diagram: many ASNs, each applying its own Policy, all filtering the TLD and the ASN with which Trust is Broken.]

SLIDE 40

What can a ccTLD do now?

SLIDE 41

Aggressive Collaboration is the Key

[Diagram of overlapping operational security communities: National Cyber Teams; NSP-SEC with NSP-SEC-BR, NSP-SEC-JP, NSP-SEC-D, NSP-SEC-CN, Drone-Armies and FUN-SEC; FIRST/CERT Teams; Telecoms ISAC; Other ISACs (FS ISAC); MWP; Hijacked; DSHIELD; iNOC-DBA; OPSEC Trust; Internet Storm Center / SANS; II; YASML; Conficker Cabal; SCADA Security.]

Note: We are not trying to illustrate actual inter-relational or interactive connections between the different communities.

SLIDE 42

Are you part of the new “Civic Society?”

  • Are you sitting back and trusting your “security vendors?”
  • Or, are you stepping forward, working with all others with like interest in Global Telecom’s Civic Society to go after and shut down the miscreants?
  • Three Recommendations for TLD Organizations to get started:

– NXDomains
– ICANN Training and Guidelines (Engagement with SSAC).
– Alliance with your Upstream Transit Providers

SLIDE 43

NXDomains

  • This list is dedicated to the notification, investigation, and takedown of malicious domains.

– This is the community who works within the DNS Registry/Registrar system to remove validated malicious domains.
– Interface between the Operational Security Community and the DNS Registry/Registrar system
– A "best effort" community that operates based on all parties expending their best level of effort to tackle an issue.

  • Members range from registries and registrars to law enforcement and vetted security professionals.
  • E-mail nxadmins@opensecnet.com to apply for membership.

NXDomains results are a way to demonstrate a desire to act through best-effort action.

SLIDE 44

ICANN SSAC

  • Take advantage of the focused effort to build security and resiliency in the TLD community.

– http://www.icann.org/en/committees/security/

SLIDE 45

  • How will the world know to trust your ccTLD as one who holds the collective best interest as an important value?
  • Working with your upstream ISP’s security and operations teams is a first step. It builds a working relationship of action and trust that can be used as a reference to others.

[Diagram: ISP 1, ISP 2, ISP 3 and a Bank linked to the Cc-TLD by Trust relationships.]

Because ISP 1 trusts the cc-TLD, ISP 2, ISP 3, and the “Bank” can also trust the cc-TLD.

SLIDE 46

Summary and Questions